DETAILED ACTION

1. This action is in response to correspondence filed 17 April 2008.

2. Claims 1, 2, 4, 6-34, 36, and 38-67 remain pending.

Response to Amendment 

3. Applicant's amendment to claims 68 and claim 69 has been entered into the 
record and overcomes the prior claim rejection under 35 USC 112, second paragraph. 
The rejection has been withdrawn. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was
not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) 
prior art under 35 U.S.C. 103(a).

6. Claims 1, 2, 4, 6-19, 26-30, 33, 34, 36, 38-51, 58-62, 65-67 are rejected under 35
U.S.C. 103(a) as being unpatentable over Howard in view of Carter et al. (US
2003/0051026), hereinafter referred to as Carter. 

7. Regarding claim 1, Howard teaches a filtering apparatus which is interposed
between a client and a server providing a service in accordance with each of access 
requests from the client, and which transmits only a legal access request among the 
access requests to the server, the filtering apparatus comprising: 

an illegal pattern database which stores patterns of illegal accesses to the server 
(col. 7, ll. 24-30, Howard discloses the use of a memory location containing one or more
patterns that have been defined and make up a pattern collection); 

a pattern estimation unit which estimates legality of an access request based on 
the illegal access patterns stored in the illegal pattern database and on a predetermined 
pattern estimation rule (col. 7, line 66 - col. 8, line 20, Howard teaches the evaluation of 
input strings to determine the presence of input strings.); 

a pattern determination unit which determines whether each access request is to 
be transmitted to the server based on the estimation by the pattern estimation unit and 
on a predetermined pattern determination rule, the pattern determination unit producing
a determination result (col. 8, ll. 21-23, Howard teaches that if it is determined that
attack patterns are present, then remedial actions are taken as necessary to eliminate 
risks to the server system). 

a transmission unit which controls transmission of the access request based on 
determination result of the pattern determination unit so as to transmit the access 
request to the server when the access request is estimated to be legal, and so as to
reject transmission of the access request to the server and so as to abandon the
request when the access request is estimated to be illegal (col. 7, ll. 36-58, Howard
teaches that if no attack patterns have been found, then processing continues as 
normal and if it is determined that the input string contains attack pattern(s) then 
remedial action is taken, including the denial of a request altogether from the client to 
the server.). 

Howard does not explicitly teach of wherein the pattern estimation unit calculates 
a predetermined estimation value according to a degree of correspondence of the 
access requests to the illegal access patterns stored in the illegal pattern database; and 
the pattern determination unit compares the estimation value calculated by the pattern 
estimation unit with a predetermined threshold value, and determines whether the 
access request is to be transmitted to the server. However, Carter teaches on this 
aspect in paragraph 0006 and 0447 wherein Carter teaches the calculation of 
comparisons to prior occurrences to infer appropriate countermeasures and wherein the 
knowledge learned from new threats may be communicated to other systems. One of 
ordinary skill in the art at the time of the applicant's invention would have found it 
obvious to combine what Carter teaches with Howard. One of ordinary skill in the art at 
the time of invention would have been motivated to make the above mentioned 
modifications for the reasons discussed in Carter wherein Carter teaches the ability to 
expand a knowledge base with information relating to unanticipated events is desirable 
in a network system.

8. Regarding claim 2, Howard and Carter teach the filtering apparatus wherein

the pattern estimation unit estimates that each of the access requests is an illegal 
access if the access request corresponds to any one of the illegal access patterns 
stored in the illegal pattern database, and estimates that the access request is a legal 
access if the access request does not correspond to any one of the illegal access 
patterns stored in the illegal pattern database (Howard, col. 8, ll. 21-23, Howard teaches
that if it is determined that attack patterns are present, then remedial actions are taken 
as necessary to eliminate risks to the server system); and 

the pattern determination unit determines that the access request estimated as 
the illegal access by the pattern estimation unit is not to be transmitted to the server, 
and determines that the access request estimated as the legal access by the pattern 
estimation unit is to be transmitted to the server (Howard, col. 8, ll. 21-23, Howard
teaches that if it is determined that attack patterns are present, then remedial actions 
are taken as necessary to eliminate risks to the server system). 

9. Regarding claim 4, Howard and Carter teach about a legal pattern database 
which stores ... and a predetermination unit which predetermines whether each of the 
access requests corresponds... (Howard, col. 7, ll. 36-58). Howard does not explicitly
teach of wherein the pattern estimation unit estimates the legality of only the access 
request determined not to correspond to any one of the legal access patterns by the 
predetermination unit. Carter teaches on this aspect Paragraph [0006]. One of 
ordinary skill in the art at the time of invention would have been motivated to make the 
above mentioned modifications for the reasons discussed in Carter, Paragraph [0005].

10. Regarding claim 6, Howard and Carter teach a filtering apparatus further
comprising a storage unit which stores each of the access requests determined not to 
be transmitted to the server by the pattern determination unit, in a predetermined 
storage medium based on a predetermined storage rule (Howard, fig. 4, storage unit). 

11. Regarding claim 7, Howard and Carter teach the need for an update unit which
updates the illegal pattern database (Howard, col. 7, ll. 24-26).

12. Regarding claim 8, Howard and Carter teach about an access request 
transmission unit which transmits, as a legal access request, (Howard, col. 7, ll. 36-58)
but does not explicitly teach of only the access request determined to be transmitted to 
the server by the pattern and statistic determination units, to the server statistically 
illegal request database .... from the statistic of the access requests for the server; a 
statistic estimation unit ... a statistic determination unit; Carter implicitly teaches on 
these aspects. Carter teaches of using statistical analysis to detect anomalous events 
(Page 58, 2nd Col, Claim 20). One of ordinary skill in the art at the time of invention
would have been motivated to make the above mentioned modifications for the reasons 
discussed in Carter, Paragraph [0005]. 

13. Regarding claim 9, Howard and Carter teach the filtering apparatus wherein the 
statistically illegal request database stores transmitting end information on the clients 
each of which issues access requests within a predetermined time, the number of the 
access requests exceeding a predetermined number, among the clients who transmit 
the access requests to the server (Carter, Page 58, 2nd Col, Claim 20, Paragraph
[0205,0204,0216]);

the statistic estimation unit estimates that each of the access requests is the
illegal access if the transmitting end information on the access request corresponds to 
any one of the transmitting end information stored in the statistically illegal request 
database, and estimates that the access request is the legal access if the transmitting 
end information on the access request does not correspond to any one of the 
transmitting end information stored in the statistically illegal request database (Carter, 
Page 58, 2nd Col, Claim 20, Paragraph [0205,0204,0216]); and

the statistic determination unit determines that the access request estimated as 
the illegal access by the statistic estimation unit is not to be transmitted to the server, 
and determines that the access request estimated as the legal access by the statistic 
estimation unit is to be transmitted to the server (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]). 

14. Regarding claim 10, Howard and Carter teach the filtering apparatus wherein 
the statistically illegal request database stores request contents of the access 
requests within a predetermined time, the number of the access requests of each 
request content exceeding a predetermined number, among request contents of the 
access requests transmitted to the server (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]); 

the statistic estimation unit estimates that the access request of each of the 
access requests is the illegal access if the request content of the access request 
corresponds to any one of the request contents stored in the statistically illegal request 
database, and estimates that the access request is the legal access if the request 
content of the access request does not correspond to any one of the request contents
stored in the statistically illegal request database (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]); and 

the statistic determination unit determines that the access request estimated as 
the illegal access by the statistic estimation unit is not to be transmitted to the server, 
and determines that the access request estimated as the legal access by the statistic 
estimation unit is to be transmitted to the server (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]). 

15. Regarding claim 11, Howard and Carter teach the filtering apparatus wherein
the statistically illegal request database stores transmitting end information on 
the clients each of which issues access requests, the number of which exceeds a 
predetermined number within a predetermined time, among the clients who transmit the 
access requests to the server, and stores request contents of the access requests, the 
number of which exceeds a predetermined number within a predetermined time, among 
the request contents of the access requests transmitted to the server (Carter, Page 58, 
2nd Col, Claim 20, Paragraph [0205,0204,0216]);

the statistic estimation unit estimates that each of the access requests is the 
illegal access if the transmitting end information on the access request corresponds to 
any one of the transmitting end information stored in the statistically illegal request 
database or the request content of the access request corresponds to any one of the 
request contents stored in the statistically illegal request database, and estimates that 
the access request is the legal access if the transmitting end information on the access 
request does not correspond to any one of the transmitting end information stored in the
statistically illegal request database and the request content of the access requests 
does not correspond to any one of the request contents stored in the statistically illegal 
request database (Carter, Page 58, 2nd Col, Claim 20, Paragraph [0205,0204,0216]);

the statistic determination unit determines that the access request estimated as 
the illegal access by the statistic estimation unit is not to be transmitted to the server, 
and determines that the access request estimated as the legal access by the statistic 
estimation unit is to be transmitted to the server (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]). 

16. Regarding claim 12, Howard and Carter teach the filtering apparatus wherein 
the statistically illegal request database stores transmitting end information on 
the clients each of which issues access requests, the number of which exceeds a 
predetermined number within a predetermined time, among the clients who transmit the 
access requests to the server, and stores request contents of the access requests, the 
number of which a predetermined number within a predetermined time, among the 
request contents of the access requests transmitted to the server (Carter, Paragraph 
[0204-0205, 0216,0006]); 

the statistic estimation unit calculates a predetermined estimation value 
according to a degree to which the transmitting end information on each of the access 
requests to the request content of the access request correspond to the transmitting 
end information and the request contents stored in the statistically illegal request 
database, respectively (Carter, Paragraph [0204-0205, 0216,0006]); and

the statistic determination unit compares the estimation value calculated by the
statistic estimation unit with a predetermined threshold value, and determines whether 
the access request is to be transmitted to the server (Carter, Paragraph [0204-0205, 
0216,0006]). 

17. Regarding claim 13, Howard and Carter teach the filtering apparatus according to 
claim 8, wherein the statistic estimation unit estimates the legality of only the access 
request determined to be transmitted to the server by the pattern determination unit 
(Carter, Paragraph [0204-0205, 0216,0006]). 

18. Regarding claim 14, Howard and Carter teach the filtering apparatus according to 
claim 8, wherein the pattern estimation unit estimates the legality of only the access 
request determined to be transmitted to the server by the statistic determination unit 
(Carter, Paragraph [0204-0205, 0216,0006]). 

19. Regarding claim 15, Howard and Carter teach the filtering apparatus according to
claim 8, wherein the predetermination unit predetermines whether only the access 
request determined to be transmitted to the server by the statistic determination unit 
corresponds to any one of the legal access patterns stored in the legal pattern database 
(Carter, Paragraph [0204-0205, 0216,0006]). 

20. Regarding claim 16, Howard and Carter teach the filtering apparatus according to 
claim 8, further comprising an external transmission unit which transmits the access
requests which are not transmitted to the server by the access request transmission 
unit, to the predetermined external device based on a predetermined external 
transmission rule (Carter, Paragraph [0006], lines 17-19).

21. Regarding claim 17, Howard and Carter teach the filtering apparatus according to
claim 8, further comprising a storage unit which stores the access requests which are 
not transmitted to the server by the access request transmission unit, to the 
predetermined storage medium based on a predetermined storage rule (Howard, Fig 4 
storage). 

22. Regarding claim 18, Howard and Carter teach the filtering apparatus according to 
claim 8, further comprising an update unit which updates the statistically illegal request
database, the statistic estimation rule, the statistic determination rule, the external 
transmission rule, and at least one of the storage rule and a predetermined update rule, 
based on at least one of the predetermined update rule and the statistic of the access 
requests to the server (Howard, col. 7, ll. 24-26).

23. Regarding claim 19, Howard and Carter teach the filtering apparatus according to 
claim 18, wherein the update unit performs any one or both of addition and deletion of at
least one of the transmitting end information and the request contents stored in the 
statistically illegal request database, according to any one or both of the number of 
access requests for each client who transmits the access requests to the server within 
the predetermined time and the number of access requests for each request content of 
the access requests transmitted to the server within the predetermined time (Howard, 
col. 7, ll. 24-26).

24. Regarding claim 26, Howard and Carter teach the filtering apparatus according to 
claim 1, further comprising

an access request decryption unit which decrypts an access request which has
been subjected to a predetermined encryption processing, wherein the pattern 
estimation unit, the predetermination unit or the statistic estimation unit estimates or 
determines the access request decrypted by the access request decryption unit (Carter, 
Paragraph [0225-0226]). 

25. Regarding claim 27, Howard and Carter teach the filtering apparatus according to 
claim 26, wherein if only the legal access request among the access requests is to be 
transmitted to the server, not the access request decrypted by the access request 
decryption unit but the access request which has been subjected to the predetermined 
encryption processing is transmitted to the server (Carter, Paragraph [0225-0226]).

26. Regarding claim 28, Howard and Carter teach the filtering apparatus according to 
claim 26, further comprising a response decryption unit which decrypts a response 
which has been subjected to a predetermined encryption processing, wherein the 
response estimation unit estimates the response decrypted by the response decryption 
unit (Carter, Paragraph [0225-0226]).

27. Regarding claim 29, Howard and Carter teach the filtering apparatus according to 
claim 28, wherein if only the legal response among the responses is to be transmitted to 
the client, not the response decrypted by the response decryption unit but the response 
which has been subjected to the predetermined encryption processing is transmitted to 
the client (Carter, Paragraph [0225-0226]).

28. Regarding claim 30, Howard and Carter teach the filtering apparatus according to 
claim 1, further comprising:

a pseudo-response database which stores pseudo-responses corresponding to
the patterns of the illegal accesses to the server, respectively, and each indicating that 
the corresponding illegal access is successful or successfully proceeding (Howard, 
Figure 4); 

a pseudo-response creation unit which creates pseudo-responses corresponding 
to the patterns of the access requests, each of which is determined as the illegal access 
and is not transmitted to the server, respectively while referring to the pseudo-response 
database (Howard, Figure 4); and 

a pseudo-response transmission unit which transmits the pseudo-responses 
created by the pseudo-response creation unit to the clients, respectively (Howard, 
Figure 4). 

29. Regarding claim 33, Howard teaches a filtering method used on a client and a 
server providing a service in accordance with each of access requests from the client, 
and which transmits only a legal access request among the access requests to the 
server, the method comprising: 

a pattern estimation step of referring to an illegal pattern database which stores 
patterns of illegal accesses to the server, and estimating legality of an access request 
based on the illegal access patterns referred to and on a predetermined pattern 
estimation rule (col. 7, line 66 - col. 8, line 20, Howard teaches the evaluation of input 
strings to determine the presence of input strings.); 

a pattern determination step of determining whether the access request is to be 
transmitted to the server based on an estimation result at the pattern estimation step 
and on a predetermined pattern determination rule (col. 8, ll. 21-23, Howard teaches
that if it is determined that attack patterns are present, then remedial actions are taken 
as necessary to eliminate risks to the server system); and 

a transmission controlling step of controlling transmission of the access request 
based on determination result of the pattern determination step so as to transmit the 
access request to the server when the access request is estimated to be legal, and so 
as to reject transmission of the access request to the server and so as to abandon the 
request when the access request is estimated to be illegal (col. 7, ll. 36-58, Howard
teaches that if no attack patterns have been found, then processing continues as 
normal and if it is determined that the input string contains attack pattern(s) then 
remedial action is taken, including the denial of a request altogether from the client to 
the server.); 

wherein the pattern estimation step includes calculating a predetermined 
estimation value according to a degree of correspondence of the access requests to the 
illegal access patterns stored in the illegal pattern database; and 

the pattern determination step includes comparing the estimation value 
calculated in the pattern estimation step with a predetermined threshold value, and 
determining whether the access request is to be transmitted to the server. 

Howard does not explicitly teach of wherein the pattern estimation unit calculates 
a predetermined estimation value according to a degree of correspondence of the 
access requests to the illegal access patterns stored in the illegal pattern database; and 
the pattern determination unit compares the estimation value calculated by the pattern 
estimation unit with a predetermined threshold value, and determines whether the
access request is to be transmitted to the server. However, Carter teaches on this 
aspect in paragraph 0006 and 0447 wherein Carter teaches the calculation of 
comparisons to prior occurrences to infer appropriate countermeasures and wherein the 
knowledge learned from new threats may be communicated to other systems. One of 
ordinary skill in the art at the time of the applicant's invention would have found it 
obvious to combine what Carter teaches with Howard. One of ordinary skill in the art at
the time of invention would have been motivated to make the above mentioned 
modifications for the reasons discussed in Carter wherein Carter teaches the ability to 
expand a knowledge base with information relating to unanticipated events is desirable 
in a network system. 

30. Regarding claim 34, Howard discloses the filtering apparatus wherein 

the pattern estimation unit estimates that each of the access requests is an illegal 
access if the access request corresponds to any one of the illegal access patterns 
stored in the illegal pattern database, and estimates that the access request is a legal 
access if the access request does not correspond to any one of the illegal access 
patterns stored in the illegal pattern database (col. 8, ll. 21-23, Howard teaches that if it
is determined that attack patterns are present, then remedial actions are taken as 
necessary to eliminate risks to the server system); and 

the pattern determination unit determines that the access request estimated as 
the illegal access by the pattern estimation unit is not to be transmitted to the server, 
and determines that the access request estimated as the legal access by the pattern 
estimation unit is to be transmitted to the server (col. 8, ll. 21-23, Howard teaches that if
it is determined that attack patterns are present, then remedial actions are taken as 
necessary to eliminate risks to the server system). 

31. Regarding claim 36, Howard and Carter teach about a legal pattern database
which stores ... and a predetermination unit which predetermines whether each of the 
access requests corresponds... (Howard, col. 7, ll. 36-58). Howard does not explicitly
teach of wherein the pattern estimation unit estimates the legality of only the access 
request determined not to correspond to any one of the legal access patterns by the 
predetermination unit. Carter teaches on this aspect Paragraph [0006]. One of 
ordinary skill in the art at the time of invention would have been motivated to make the 
above mentioned modifications for the reasons discussed in Carter, Paragraph [0005].

32. Regarding claim 38, Howard and Carter teach the filtering method according to 
claim 33, further comprising a storage step of storing each of the access requests 
determined not to be transmitted to the server in the pattern determination step, in a 
predetermined storage medium based on a predetermined storage rule (Howard, Fig 4 
storage). 

33. Regarding claim 39, Howard and Carter teach the filtering method according to 
claim 33, further comprising an update step of updating the illegal pattern database, the 
legal pattern database, the pattern estimation rule, the pattern determination rule, the 
external transmission rule, the storage rule, or a predetermined update rule, based on 
the predetermined update rule (Howard, col. 7, ll. 24-26).

34. Regarding claim 40, Howard and Carter teach about an access request
transmission unit which transmits, as a legal access request, (Howard, col. 7, ll. 36-58)
but does not explicitly teach of only the access request determined to be transmitted to 
the server by the pattern and statistic determination units, to the server statistically 
illegal request database .... from the statistic of the access requests for the server; a 
statistic estimation unit ... a statistic determination unit; Carter implicitly teaches on 
these aspects. Carter teaches of using statistical analysis to detect anomalous events 
(Page 58, 2nd Col, Claim 20). One of ordinary skill in the art at the time of invention
would have been motivated to make the above mentioned modifications for the reasons 
discussed in Carter, Paragraph [0005]. 

35. Regarding claim 41, Howard and Carter teach the filtering apparatus wherein the
statistically illegal request database stores transmitting end information on the clients 
each of which issues access requests within a predetermined time, the number of the 
access requests exceeding a predetermined number, among the clients who transmit 
the access requests to the server (Carter, Page 58, 2nd Col, Claim 20, Paragraph
[0205,0204,0216]); 

the statistic estimation unit estimates that each of the access requests is the 
illegal access if the transmitting end information on the access request corresponds to 
any one of the transmitting end information stored in the statistically illegal request 
database, and estimates that the access request is the legal access if the transmitting 
end information on the access request does not correspond to any one of the 
transmitting end information stored in the statistically illegal request database (Carter,
Page 58, 2nd Col, Claim 20, Paragraph [0205,0204,0216]); and

the statistic determination unit determines that the access request estimated as 
the illegal access by the statistic estimation unit is not to be transmitted to the server, 
and determines that the access request estimated as the legal access by the statistic 
estimation unit is to be transmitted to the server (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]). 

36. Regarding claim 42, Howard and Carter teach the filtering apparatus wherein 
the statistically illegal request database stores request contents of the access 
requests within a predetermined time, the number of the access requests of each 
request content exceeding a predetermined number, among request contents of the 
access requests transmitted to the server (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]); 

the statistic estimation unit estimates that the access request of each of the 
access requests is the illegal access if the request content of the access request 
corresponds to any one of the request contents stored in the statistically illegal request 
database, and estimates that the access request is the legal access if the request 
content of the access request does not correspond to any one of the request contents 
stored in the statistically illegal request database (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]); and 

the statistic determination unit determines that the access request estimated as 
the illegal access by the statistic estimation unit is not to be transmitted to the server, 
and determines that the access request estimated as the legal access by the statistic
estimation unit is to be transmitted to the server (Carter, Page 58, 2nd Col, Claim 20,
Paragraph [0205,0204,0216]). 

37. Regarding claim 43, Howard and Carter teach the filtering apparatus wherein 
the statistically illegal request database stores transmitting end information on 
the clients each of which issues access requests, the number of which exceeds a 
predetermined number within a predetermined time, among the clients who transmit the 
access requests to the server, and stores request contents of the access requests, the 
number of which exceeds a predetermined number within a predetermined time, among 
the request contents of the access requests transmitted to the server (Carter, Page 58, 
2nd Col, Claim 20, Paragraph [0205,0204,0216]);

the statistic estimation unit estimates that each of the access requests is the 
illegal access if the transmitting end information on the access request corresponds to 
any one of the transmitting end information stored in the statistically illegal request 
database or the request content of the access request corresponds to any one of the 
request contents stored in the statistically illegal request database, and estimates that 
the access request is the legal access if the transmitting end information on the access 
request does not correspond to any one of the transmitting end information stored in the 
statistically illegal request database and the request content of the access requests 
does not correspond to any one of the request contents stored in the statistically illegal 
request database (Carter, Page 58, 2nd Col, Claim 20, Paragraph [0205,0204,0216]);

the statistic determination unit determines that the access request estimated as
the illegal access by the statistic estimation unit is not to be transmitted to the server, 
and determines that the access request estimated as the legal access by the statistic 
estimation unit is to be transmitted to the server (Carter, Page 58, 2 nd Col, Claim 20, 
Paragraph [0205,0204,0216]). 

38. Regarding claim 44, Howard and Carter teach the filtering apparatus wherein 
the statistically illegal request database stores transmitting end information on 
the clients each of which issues access requests, the number of which exceeds a 
predetermined number within a predetermined time, among the clients who transmit the 
access requests to the server, and stores request contents of the access requests, the 
number of which a predetermined number within a predetermined time, among the 
request contents of the access requests transmitted to the server (Carter, Paragraph 
[0204-0205, 0216,0006]); 

the statistic estimation unit calculates a predetermined estimation value 
according to a degree to which the transmitting end information on each of the access 
requests to the request content of the access request correspond to the transmitting 
end information and the request contents stored in the statistically illegal request 
database, respectively (Carter, Paragraph [0204-0205, 0216,0006]); and 

the statistic determination unit compares the estimation value calculated by the 
statistic estimation unit with a predetermined threshold value, and determines whether 
the access request is to be transmitted to the server (Carter, Paragraph [0204-0205, 
0216,0006]). 

39. Regarding claim 45, Howard and Carter teach the filtering apparatus according to 
claim 8, wherein the statistic estimation unit estimates the legality of only the access 
request determined to be transmitted to the server by the pattern determination unit 
(Carter, Paragraph [0204-0205, 0216,0006]). 

40. Regarding claim 46, Howard and Carter teach the filtering apparatus according to 
claim 8, wherein the pattern estimation unit estimates the legality of only the access 
request determined to be transmitted to the server by the statistic determination unit 
(Carter, Paragraph [0204-0205, 0216,0006]). 

41. Regarding claim 47, Howard and Carter teach the filtering apparatus according to 
claim 8, wherein the predetermination unit predetermines whether only the access 
request determined to be transmitted to the server by the statistic determination unit 
corresponds to any one of the legal access patterns stored in the legal pattern database 
(Carter, Paragraph [0204-0205, 0216,0006]). 

42. Regarding claim 48, Howard and Carter teach the filtering apparatus further 
comprising an external transmission unit which transmits the access requests which are 
not transmitted to the server by the access request transmission unit, to the 
predetermined external device based on a predetermined external transmission rule 
(Carter, Paragraph [0006], lines 17-19). 

43. Regarding claim 49, Howard and Carter teach the filtering apparatus further 
comprising a storage unit which stores the access requests which are not transmitted to 
the server by the access request transmission unit, to the predetermined storage 
medium based on a predetermined storage rule (Howard, Figure 4). 

44. Regarding claim 50, Howard and Carter teach the filtering apparatus further 
comprising an update unit which updates the statistically illegal request database, the 
statistic estimation rule, the statistic determination rule, the external transmission rule, 
and at least one of the storage rule and a predetermined update rule, based on at least 
one of the predetermined update rule and the statistic of the access requests to the 
server (Howard, col. 7, ll. 24-26). 

45. Regarding claim 51, Howard and Carter teach the filtering apparatus wherein the 
update unit performs any one or both of addition and deletion of at least one of the 
transmitting end information and the request contents stored in the statistically illegal 
request database, according to any one or both of the number of access requests for 
each client who transmits the access requests to the server within the predetermined 
time and the number of access requests for each request content of the access 
requests transmitted to the server within the predetermined time (Howard, col. 7, 
ll. 24-26). 

46. Regarding claim 58, Howard and Carter teach the filtering apparatus further 
comprising 

an access request decryption unit which decrypts an access request which has 
been subjected to a predetermined encryption processing, wherein the pattern 
estimation unit, the predetermination unit or the statistic estimation unit estimates or 
determines the access request decrypted by the access request decryption unit (Carter, 
Paragraph [0225-0226]). 

47. Regarding claim 59, Howard and Carter teach the filtering apparatus wherein if 
only the legal access request among the access requests is to be transmitted to the 
server, not the access request decrypted by the access request decryption unit but the 
access request which has been subjected to the predetermined encryption processing 
is transmitted to the server (Carter, Paragraph [0225-0226]). 

48. Regarding claim 60, Howard and Carter teach the filtering apparatus further 
comprising a response decryption unit which decrypts a response which has been 
subjected to a predetermined encryption processing, wherein the response estimation 
unit estimates the response decrypted by the response decryption unit (Carter, 
Paragraph [0225-0226]). 

49. Regarding claim 61, Howard and Carter teach the filtering apparatus wherein if 
only the legal response among the responses is to be transmitted to the client, not the 
response decrypted by the response decryption unit but the response which has been 
subjected to the predetermined encryption processing is transmitted to the client 
(Carter, Paragraph [0225-0226]). 

50. Regarding claim 62, Howard and Carter teach the filtering apparatus further 
comprising: 

a pseudo-response database which stores pseudo-responses corresponding to 
the patterns of the illegal accesses to the server, respectively, and each indicating that 
the corresponding illegal access is successful or successfully proceeding (Howard, 
Figure 4); 

a pseudo-response creation unit which creates pseudo-responses corresponding 
to the patterns of the access requests, each of which is determined as the illegal access 
and is not transmitted to the server, respectively while referring to the pseudo-response 
database (Howard, Figure 4); and 

a pseudo-response transmission unit which transmits the pseudo-responses 
created by the pseudo-response creation unit to the clients, respectively (Howard, 
Figure 4). 

51. Regarding claim 65, Howard teaches a filtering method used on a client and a 
server providing a service in accordance with each of access requests from the client, 
and which transmits only a legal access request among the access requests to the 
server, the method comprising: 

a pattern estimation step of referring to an illegal pattern database which stores 
patterns of illegal accesses to the server, and estimating legality of an access request 
based on the illegal access patterns referred to and on a predetermined pattern 
estimation rule (col. 7, line 66 - col. 8, line 20, Howard teaches the evaluation of input 
strings to determine the presence of input strings.); 

a pattern determination step of determining whether the access request is to be 
transmitted to the server based on an estimation result at the pattern estimation step 
and on a predetermined pattern determination rule (col. 8, ll. 21-23, Howard teaches 
that if it is determined that attack patterns are present, then remedial actions are taken 
as necessary to eliminate risks to the server system); and 

a transmission controlling step of controlling transmission of the access request 
based on determination result of the pattern determination step so as to transmit the 
access request to the server when the access request is estimated to be legal, and so 
as to reject transmission of the access request to the server and so as to abandon the 
request when the access request is estimated to be illegal (col. 7, ll. 36-58, Howard 
teaches that if no attack patterns have been found, then processing continues as 
normal and if it is determined that the input string contains attack pattern(s) then 
remedial action is taken, including the denial of a request altogether from the client to 
the server.); 

wherein the pattern estimation step includes calculating a predetermined 
estimation value according to a degree of correspondence of the access requests to the 
illegal access patterns stored in the illegal pattern database; and 

the pattern determination step includes comparing the estimation value 
calculated in the pattern estimation step with a predetermined threshold value, and 
determining whether the access request is to be transmitted to the server. 

Howard does not explicitly teach of wherein the pattern estimation unit calculates 
a predetermined estimation value according to a degree of correspondence of the 
access requests to the illegal access patterns stored in the illegal pattern database; and 
the pattern determination unit compares the estimation value calculated by the pattern 
estimation unit with a predetermined threshold value, and determines whether the 
access request is to be transmitted to the server. However, Carter teaches on this 
aspect in paragraph 0006 and 0447 wherein Carter teaches the calculation of 
comparisons to prior occurrences to infer appropriate countermeasures and wherein the 
knowledge learned from new threats may be communicated to other systems. One of 
ordinary skill in the art at the time of the applicant's invention would have found it 
obvious to combine what Carter teaches with what Howard teaches. One of ordinary skill in the art at 
the time of invention would have been motivated to make the above mentioned 
modifications for the reasons discussed in Carter wherein Carter teaches the ability to 
expand a knowledge base with information relating to unanticipated events is desirable 
in a network system. 

52. Regarding claim 66, Howard discloses a filtering apparatus which is interposed 
between a client and a server providing a service in accordance with each of access 
requests from the client, and which transmits only a legal access request among the 
access requests to the server, the filtering apparatus comprising: 

an illegal pattern database which stores patterns of illegal accesses to the server 
(col. 7, ll. 24-30, Howard discloses the use of a memory location containing one or more 
patterns that have been defined and make up a pattern collection); 

a pattern estimation unit which estimates legality of an access request based on 
the illegal access patterns stored in the illegal pattern database and on a predetermined 
pattern estimation rule (col. 7, line 66 - col. 8, line 20, Howard teaches the evaluation of 
input strings to determine the presence of input strings.); 

a pattern determination unit which determines whether each access request is to 
be transmitted to the server based on the estimation by the pattern estimation unit and 
on a predetermined pattern determination rule, the pattern determination unit producing 
a determination result (col. 8, ll. 21-23, Howard teaches that if it is determined that 
attack patterns are present, then remedial actions are taken as necessary to eliminate 
risks to the server system). 

a transmission unit which controls transmission of the access request based on 
determination result of the pattern determination unit so as to transmit the access 
request to the server when the access request is estimated to be legal, and so as to 
reject transmission of the access request to the server and so as to abandon the 
request when the access request is estimated to be illegal (col. 7, ll. 36-58, Howard 
teaches that if no attack patterns have been found, then processing continues as 
normal and if it is determined that the input string contains attack pattern(s) then 
remedial action is taken, including the denial of a request altogether from the client to 
the server.). 

Howard does not explicitly teach of wherein the pattern estimation unit calculates 
a predetermined estimation value according to a degree of correspondence of the 
access requests to the illegal access patterns stored in the illegal pattern database; and 
the pattern determination unit compares the estimation value calculated by the pattern 
estimation unit with a predetermined threshold value, and determines whether the 
access request is to be transmitted to the server. However, Carter teaches on this 
aspect in paragraph 0006 and 0447 wherein Carter teaches the calculation of 
comparisons to prior occurrences to infer appropriate countermeasures and wherein the 
knowledge learned from new threats may be communicated to other systems. One of 
ordinary skill in the art at the time of the applicant's invention would have found it 
obvious to combine what Carter teaches with what Howard teaches. One of ordinary skill in the art at 
the time of invention would have been motivated to make the above mentioned 
modifications for the reasons discussed in Carter wherein Carter teaches the ability to 
expand a knowledge base with information relating to unanticipated events is desirable 
in a network system. 

53. Regarding claim 67, Howard teaches a filtering method comprising: 

estimating a legality of an access request based on an illegal access pattern 
stored in an illegal pattern database and on a predetermined pattern estimation rule 
(col. 7, line 66 - col. 8, line 20, Howard teaches the evaluation of input strings to 
determine the presence of input strings.); and 

determining whether the access request is to be abandoned based on the 
estimation of the legality of the access request (col. 8, ll. 21-23, Howard teaches that if it 
is determined that attack patterns are present, then remedial actions are taken as 
necessary to eliminate risks to the server system). 

Howard does not explicitly teach of wherein the pattern estimation unit calculates 
a predetermined estimation value according to a degree of correspondence of the 
access requests to the illegal access patterns stored in the illegal pattern database; and 
the pattern determination unit compares the estimation value calculated by the pattern 
estimation unit with a predetermined threshold value, and determines whether the 
access request is to be transmitted to the server. However, Carter teaches on this 
aspect in paragraph 0006 and 0447 wherein Carter teaches the calculation of 
comparisons to prior occurrences to infer appropriate countermeasures and wherein the 
knowledge learned from new threats may be communicated to other systems. One of 
ordinary skill in the art at the time of the applicant's invention would have found it 
obvious to combine what Carter teaches with what Howard teaches. One of ordinary skill in the art at 
the time of invention would have been motivated to make the above mentioned 
modifications for the reasons discussed in Carter wherein Carter teaches the ability to 
expand a knowledge base with information relating to unanticipated events is desirable 
in a network system. 

54. Claims 31-32 and 63-64 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Howard and Carter and further in view of Cahill (US 6,535,855). 

55. Regarding claim 31, Howard and Carter do not explicitly teach a decoy unit which 
receives the access requests each of which is determined as the illegal access and is 
not transmitted to the server, and creates, as a decoy of the server, pseudo-responses 
each indicating that the corresponding illegal access is successful or successfully 
proceeding; and a pseudo-response transmission unit which transmits the 
pseudo-responses created by the decoy unit to the clients, respectively." In related art, Cahill 
teaches on these aspects (Col 12, lines 50-55, Col 13, lines 20-35). One of ordinary 
skill in the art at the time of invention would have been motivated to make the 
above-mentioned modifications for the reasons discussed in Carter (Paragraph [0026]). 

56. Regarding claim 32, Howard implicitly teaches of a pseudo-response database 
which stores pseudo-responses corresponding to the patterns of the illegal accesses ... 
and a pseudo-response transmission unit which transmits the pseudo-responses 
created by the pseudo-response (Fig. 4). Howard does not explicitly teach of a decoy 
unit which receives the access requests which do not correspond to the illegal access 
patterns stored in the pseudo-response database... Carter teaches of access request 
which do not correspond to the illegal access patterns (Col 9, lines 30-65) and Cahill 
teaches of a decoy unit (Col 13, lines 20-25). Motivation is the same as discussed in 
Claims 8 and Claim 17. 

57. Regarding claim 63, Howard and Carter do not explicitly teach a decoy unit which 
receives the access requests each of which is determined as the illegal access and is 
not transmitted to the server, and creates, as a decoy of the server, pseudo-responses 
each indicating that the corresponding illegal access is successful or successfully 
proceeding; and a pseudo-response transmission unit which transmits the 
pseudo-responses created by the decoy unit to the clients, respectively." In related art, Cahill 
teaches on these aspects (Col 12, lines 50-55, Col 13, lines 20-35). One of ordinary 
skill in the art at the time of invention would have been motivated to make the 
above-mentioned modifications for the reasons discussed in Carter (Paragraph [0026]). 

58. Regarding claim 64, Howard implicitly teaches of a pseudo-response database 
which stores pseudo-responses corresponding to the patterns of the illegal accesses ... 
and a pseudo-response transmission unit which transmits the pseudo-responses 
created by the pseudo-response (Fig. 4). Howard does not explicitly teach of a decoy 
unit which receives the access requests which do not correspond to the illegal access 
patterns stored in the pseudo-response database... Carter teaches of access request 
which do not correspond to the illegal access patterns (Col 9, lines 30-65) and Cahill 
teaches of a decoy unit (Col 13, lines 20-25). Motivation is the same as discussed in 
Claims 8 and Claim 17. 

59. Claims 20-21 and 52-53 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Howard and Carter and further in view of Kashani (US 
2002/0165894) and Birrel et al. (US 2003/0135555 A1). 

60. Regarding claim 20, Howard and Carter teach about a database which stores 
patterns of illegal request (col. 7, ll. 36-58) but do not explicitly teach the filtering 
apparatus further comprising: an illegal response database which stores patterns of 
illegal responses which should not be transmitted to each of the clients among the 
responses transmitted from the server to each of the clients as the service in 
accordance with the respective access requests; a response estimation unit which 
estimates the legality of each of the responses based on the illegal response patterns 
stored in the illegal response database and a predetermined response estimation rule; a 
response determination unit which determines whether the response is to be 
transmitted to the client based on an estimation result of the response estimation unit 
and on a predetermined response determination rule; and a response transmission unit 
which transmits, as a legal response, only the response determined to be transmitted to 
the client by the response determination unit, to the client. However, in related art, 
Kashani teaches on this aspect (Paragraph [0120]). One of ordinary skill in the art at 
the time of invention would be motivated to make the above-mentioned modifications for 
the reasons discussed in an analogous art (Birrel, Paragraph [0004]). 

61. Regarding claim 21, Howard and Carter teach about a database which stores 
patterns of illegal request (col. 7, ll. 36-58) but do not explicitly teach the filtering 
apparatus wherein the response estimation unit estimates that the response is an illegal 
response if the response corresponds to any one of the illegal response patterns stored 
in the illegal response database, and estimates that the response is a legal response if 
the response does not correspond to any one of the illegal response patterns stored in 
the illegal response database; and the response determination unit determines that the 
response estimated as the illegal response by the response estimation unit, is not to be 
transmitted to the client, and determines that the response estimated as the legal 
response by the response estimation unit, is to be transmitted to the client. However, in 
related art, Kashani teaches on this aspect (Paragraph [0120]). One of ordinary skill in 
the art at the time of invention would be motivated to make the above-mentioned 
modifications for the reasons discussed in an analogous art (Birrel, Paragraph [0004]). 

62. Regarding claim 52, Howard and Carter teach about a database which stores 
patterns of illegal request (col. 7, ll. 36-58) but do not explicitly teach the filtering 
apparatus further comprising: an illegal response database which stores patterns of 
illegal responses which should not be transmitted to each of the clients among the 
responses transmitted from the server to each of the clients as the service in 
accordance with the respective access requests; a response estimation unit which 
estimates the legality of each of the responses based on the illegal response patterns 
stored in the illegal response database and a predetermined response estimation rule; a 
response determination unit which determines whether the response is to be 
transmitted to the client based on an estimation result of the response estimation unit 
and on a predetermined response determination rule; and a response transmission unit 
which transmits, as a legal response, only the response determined to be transmitted to 
the client by the response determination unit, to the client. However, in related art, 
Kashani teaches on this aspect (Paragraph [0120]). One of ordinary skill in the art at 
the time of invention would be motivated to make the above-mentioned modifications for 
the reasons discussed in an analogous art (Birrel, Paragraph [0004]). 

63. Regarding claim 53, Howard and Carter teach about a database which stores 
patterns of illegal request (col. 7, ll. 36-58) but do not explicitly teach the filtering 
apparatus wherein the response estimation unit estimates that the response is an illegal 
response if the response corresponds to any one of the illegal response patterns stored 
in the illegal response database, and estimates that the response is a legal response if 
the response does not correspond to any one of the illegal response patterns stored in 
the illegal response database; and the response determination unit determines that the 
response estimated as the illegal response by the response estimation unit, is not to be 
transmitted to the client, and determines that the response estimated as the legal 
response by the response estimation unit, is to be transmitted to the client. However, in 
related art, Kashani teaches on this aspect (Paragraph [0120]). One of ordinary skill in 
the art at the time of invention would be motivated to make the above-mentioned 
modifications for the reasons discussed in an analogous art (Birrel, Paragraph [0004]). 

64. Claims 22-25 and 54-57 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Howard as applied to claims 1 and 33 above, and further in view of 
Carter and Kashani. 

65. Regarding claim 22, Howard does not explicitly teach the response estimation 
unit calculates a predetermined estimation value according to a degree to which the 
response corresponds to the illegal response patterns stored in the illegal response 
database; and the response determination unit compares the estimation value 
calculated by the response estimation unit with a predetermined threshold value, and 
determines whether the response is to be transmitted to the client. Carter teaches on 
threshold value (Paragraph [0006, 0218]) ... external transmission unit 
(Paragraph [0006]) ... storage of information that is not transmitted (Paragraph [0006]) 
... and update unit (Paragraph [0253]) but does not explicitly teach 
about illegal responses. Kashani teaches on this aspect (Paragraph [0120]). Motivation 
is the same as discussed in Claim 8 and Claim 20. 

66. Regarding claim 23, Howard, Carter and Kashani teach the filtering apparatus 
according to claim 20, further comprising an external transmission unit which transmits 
at least one of the response that is not transmitted to the client by the response 
transmission unit and the access request causing the response, to a predetermined 
external device based on a predetermined external transmission rule (Howard, col. 7, 
line 66 - col. 8, line 20). 

67. Regarding claim 24, Howard, Carter and Kashani teach the filtering apparatus 
according to claim 20, further comprising a storage unit which stores at least one of the 
response that is not transmitted to the client by the response transmission unit and the 
access request causing the response, in the predetermined storage medium based on a 
predetermined storage rule (Howard, col. 7, line 66 - col. 8, line 20). 

68. Regarding claim 25, Howard, Carter and Kashani teach the filtering apparatus 
according to claim 20, further comprising an update unit which updates the illegal 
response database, the response estimation rule, the response determination rule, the 
external transmission rule, and at least one of the storage rule and a predetermined 
update rule, based on a predetermined update rule (Howard, col. 7, line 66 - col. 8, line 
20). 

69. Regarding claim 54, Howard does not explicitly teach the response estimation 
unit calculates a predetermined estimation value according to a degree to which the 
response corresponds to the illegal response patterns stored in the illegal response 
database; and the response determination unit compares the estimation value 
calculated by the response estimation unit with a predetermined threshold value, and 
determines whether the response is to be transmitted to the client. Carter teaches on 
threshold value (Paragraph [0006, 0218]) ... external transmission unit 
(Paragraph [0006]) ... storage of information that is not transmitted (Paragraph [0006]) 
... and update unit (Paragraph [0253]) but does not explicitly teach 
about illegal responses. Kashani teaches on this aspect (Paragraph [0120]). Motivation 
is the same as discussed in Claim 8 and Claim 20. 

70. Regarding claim 55, Howard, Carter and Kashani teach the filtering apparatus 
according to claim 20, further comprising an external transmission unit which transmits 
at least one of the response that is not transmitted to the client by the response 
transmission unit and the access request causing the response, to a predetermined 
external device based on a predetermined external transmission rule (Howard, col. 7, 
line 66 - col. 8, line 20). 

71. Regarding claim 56, Howard, Carter and Kashani teach the filtering apparatus 
according to claim 20, further comprising a storage unit which stores at least one of the 
response that is not transmitted to the client by the response transmission unit and the 
access request causing the response, in the predetermined storage medium based on a 
predetermined storage rule (Howard, col. 7, line 66 - col. 8, line 20). 

72. Regarding claim 57, Howard, Carter and Kashani teach the filtering apparatus 
according to claim 20, further comprising an update unit which updates the illegal 
response database, the response estimation rule, the response determination rule, the 
external transmission rule, and at least one of the storage rule and a predetermined 
update rule, based on a predetermined update rule (Howard, col. 7, line 66 - col. 8, line 
20). 

Response to Arguments 

73. Applicant's arguments filed 08 January 2008 have been fully considered but they 
are not persuasive. 

Claim 1 

74. With respect to the rejection of claim 1 under 35 USC 103(a) as being 
unpatentable over Howard (US 7,051,368) and Carter (US 2003/0051026), the 
Applicant argues (a) neither Howard nor Carter teach, disclose or suggest estimating 
the "legality of an access request," let alone "a pattern estimation unit which estimates 
legality of an access request based on the illegal patterns stored in the illegal pattern 
database and on a predetermined pattern estimation rule", (b) neither Howard nor 
Carter teach, disclose, or suggest transmitting "the access request to the server when 
the access request is estimated to be legal," let alone "a transmission unit which 
controls transmission of the access request based on the determination result of the 
pattern determination unit so as to transmit the access request to the server when the 
access request is estimated to be legal", (c) neither Howard nor Carter teach, disclose, 
or suggest calculating "a predetermined estimation value according to a degree of 
correspondence of the access requests to the illegal access patterns stored in the illegal 
pattern database," or comparing "the estimation value calculated by the pattern 
estimation unit with a predetermined threshold value," to "determine whether the access 
request is to be transmitted to the server", (d) the Office Action provides no motivation 
or suggestion to combine the teachings of Howard and Carter as required by 35 USC 
103(a) and the MPEP 706.020(D). 

75. (a) With respect to argument (a), the examiner maintains the position set forth in 
the previous office action and maintains that the Howard reference teaches on the claim 
limitations of estimating the "legality of an access request" and "a pattern estimation unit 
which estimates legality of an access request based on the illegal patterns stored in the 
illegal pattern database and on a predetermined pattern estimation rule" as taught by 
Howard in column 7, line 66 - column 8, line 20. Howard teaches the evaluation of a 
string that is being sent from a client to a server location to determine if the string 
contains an attack pattern. If an attack pattern is found the string can be identified as a 
string containing an attack pattern and remedial actions may be performed, for example, 
to block the string from being received at the server. The strings being sent from a 
client to a server can be for example a regular expression, a URL, or an HTTP verb 
request. Regarding what is claimed by applicants, the legality of an access request 
is best understood under the broadest reasonable interpretation: the access request is a 
message sent to a server from a client device, and the legality of the message is 
understood as the determination of whether or not the message should be 
allowed to be forwarded to the server. This interpretation is based on what is provided in 
the applicants' filed specification for example on page 13, lines 13-20. No real guidance 
is given within the claims as to what extent the term "estimation" is to be interpreted 
regarding scope. Therefore, what Howard teaches is deemed to be within the scope of 
the claimed limitation. 

76. (b) With respect to argument (b), the examiner maintains the position set forth in 
the previous office action and maintains that the Howard reference teaches on the claim 
limitations of "the access request to the server when the access request is estimated to 
be legal," let alone "a transmission unit which controls transmission of the access 
request based on the determination result of the pattern determination unit so as to 
transmit the access request to the server when the access request is estimated to be 
legal" wherein Howard teaches in column 7, lines 36-58 that if no attack patterns have 
been found, then processing continues as normal wherein the request is transmitted 
from the client to the server. 

77. (c) With respect to argument (c), the examiner maintains the position set forth in 
the previous office action and maintains that the Carter reference teaches on the claim 
limitations of "a predetermined estimation value according to a degree of 
correspondence of the access requests to the illegal access patterns stored in the illegal 
pattern database," or comparing "the estimation value calculated by the pattern 
estimation unit with a predetermined threshold value," to "determine whether the access 
request is to be transmitted to the server" wherein Carter teaches on this aspect in 
paragraph 0006 and 0447 wherein Carter teaches the calculation of comparisons to 
prior occurrences to infer appropriate countermeasures and wherein the knowledge 
learned from new threats may be communicated to other systems. Carter teaches in 
paragraph 0006 the analyzing of communications to ensure that a network operates as 
intended and detects threats within the network and teaches further in paragraph 0470 
the prediction of events based on statistical analysis with respect to probable outcomes. 
The system taught by Carter detects network security problems by drawing 
comparisons to prior occurrences to infer appropriate countermeasures. 

(d) With respect to argument (d), the examiner maintains the combination of 
Carter with Howard. In response to applicant's argument that there is no suggestion to 
combine the references, the examiner recognizes that obviousness can only be 
established by combining or modifying the teachings of the prior art to produce the 
claimed invention where there is some teaching, suggestion, or motivation to do so 
found either in the references themselves or in the knowledge generally available to one 
of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 
1988) and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992). In this case, 
one of ordinary skill in the art at the time of invention would have been motivated to 
combine Carter with Howard wherein Carter teaches in paragraph 0005 the ability to 
expand a knowledge base with information relating to unanticipated events is desirable 
in a network system. 

Claims 33, 34, 36, 38-51 and 58-62 

78. Applicant's arguments set forth with respect to claims 33, 34, 36, 38-51 and 58-62 
are not found persuasive for the same reasons set forth with respect to claim 1 
above. 

Claim 65 

79. Applicant's arguments set forth with respect to claim 65 are not found persuasive 
for the same reasons set forth with respect to claim 1 above. 

Claim 66 

80. Applicant's arguments set forth with respect to claim 66 are not found persuasive 
for the same reasons set forth with respect to claim 1 above. 

Claim 67 

81. Applicant's arguments set forth with respect to claim 67 are not found persuasive 
for the same reasons set forth with respect to claim 1 above. 

Claims 31, 32, 63 and 64 

82. Applicant's arguments set forth with respect to claims 31, 32, 63 and 64 are not 
found persuasive for the same reasons set forth with respect to claim 1 above. 

Claims 20, 21, 52 and 53 

83. Applicant's arguments set forth with respect to claims 20, 21, 52 and 53 are not 
found persuasive for the same reasons set forth with respect to claim 1 above. 

Claims 22-25 and 54-57 

84. Applicant's arguments set forth with respect to claims 22-25 and 54-57 are not 
found persuasive for the same reasons set forth with respect to claim 1 above. 

85. Therefore, the filed claims are not found patentable over the cited prior art of 
record. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Benjamin Ailes whose telephone number is (571)272-3899. 
The examiner can normally be reached Monday-Friday, 5:30-8:30AM, 1:00-6:00PM, 
IFP Hoteling schedule. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Andrew Caldwell can be reached on 571-272-3868. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Andrew Caldwell/ 

Supervisory Patent Examiner, Art Unit 2142 

/B. A. A./ 

Examiner, Art Unit 2142 



